Arch Linux


FS#70822 - [libxml2] [security] CVE-2021-3537

Attached to Project: Arch Linux
Opened by mysta (mysta) - Wednesday, 12 May 2021, 15:52 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 15 May 2021, 09:26 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jan de Groot (JGC)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The attached diff adds an upstream patch for CVE-2021-3537 to the libxml2 package.

Additional info:
Switching to git master might be worth considering if they won't make a release with all these fixes...

https://security.archlinux.org/CVE-2021-3537

Closed by Antonio Rojas (arojas)
Saturday, 15 May 2021, 09:26 GMT
Reason for closing:  Fixed
Additional comments about closing:  libxml 2.9.12-1
Comment by Jonas Witschel (diabonas) - Wednesday, 12 May 2021, 16:18 GMT
I'll note that there are several more open CVEs (CVE-2021-3516, CVE-2021-3517, CVE-2021-3518) in libxml2; the corresponding commits fixing them are as follows:

https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 # CVE-2021-3516
https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 # CVE-2021-3517
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 # CVE-2021-3518
Comment by mysta (mysta) - Wednesday, 12 May 2021, 16:46 GMT
I tried to make an updated diff but 1098c30a040e72a4654968547f415be4e4c40fe7 does not apply cleanly.

There was another null dereference fix just two days ago:

https://gitlab.gnome.org/GNOME/libxml2/-/commit/bfd2f4300fb348a0fb8265a17546a0eb8bdec719

My suggestion is now to just use the master branch until a release is cut, which this v2 diff does.
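The "does not apply cleanly" failure described above comes down to patch(1) or `git apply --check` not finding a hunk's pre-image (its context and removed lines) in the target file, which is what happens when a commit from git master depends on an earlier commit that the release tarball lacks. The following is an added example and not code from this bug report or from libxml2: a small Python checker that parses a unified diff and reports, per hunk, whether the pre-image exists in a given source tree and at what line offset. The source file contents, the patch and the `parse_node`/`ctx->node` names are constructed stand-ins, not libxml2 code.

```python
"""Check whether unified-diff hunks still apply to a source tree.

Added example, not part of the bug report or of libxml2. It mimics the
pre-image matching that patch(1) and `git apply --check` perform, so it
shows why a fix taken from git master can fail on a release tarball.
Each hunk is checked against the unpatched file, which is enough to answer
"does this hunk's context exist here?".
"""
import re
from typing import Dict, List, Tuple

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

Hunk = Tuple[str, int, List[str]]  # (target file, old start line, pre-image lines)


def parse_patch(patch_text: str) -> List[Hunk]:
    """Return one (file, old_start, old_lines) tuple per hunk.

    old_lines are the lines the hunk expects to find before patching:
    context lines and '-' lines, with the one-character prefix removed.
    The hunk body is delimited by the line counts in the @@ header, so a
    removed line that happens to start with '--- ' is not mistaken for a
    file header.
    """
    hunks: List[Hunk] = []
    target = ""
    cur: Hunk = ("", 0, [])
    rem_old = rem_new = 0
    for line in patch_text.splitlines():
        if rem_old > 0 or rem_new > 0:          # inside a hunk body
            tag, body = line[:1], line[1:]
            if tag == "-":
                cur[2].append(body)
                rem_old -= 1
            elif tag == "+":
                rem_new -= 1
            elif tag == "\\":                    # "\ No newline at end of file"
                pass
            else:                                # context line (" " or empty)
                cur[2].append(body)
                rem_old -= 1
                rem_new -= 1
            continue
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            target = path.split("/", 1)[-1]      # strip "b/" like patch -p1
        else:
            m = HUNK_RE.match(line)
            if m:
                rem_old = int(m.group(2) or 1)
                rem_new = int(m.group(4) or 1)
                cur = (target, int(m.group(1)), [])
                hunks.append(cur)
    return hunks


def check_hunks(patch_text: str, tree: Dict[str, str]) -> List[dict]:
    """Report, per hunk, whether its pre-image is found in `tree`.

    As patch(1) does, the stated line is tried first, then the whole file
    is searched so the hunk may apply at an offset. A missing file or a
    pre-image found nowhere means the hunk does not apply.
    """
    results = []
    for target, old_start, old_lines in parse_patch(patch_text):
        src = tree.get(target)
        found = None
        if src is not None:
            lines = src.splitlines()
            n = len(old_lines)
            stated = old_start - 1
            candidates = [stated] + [i for i in range(len(lines) - n + 1) if i != stated]
            for i in candidates:
                if i >= 0 and lines[i:i + n] == old_lines:
                    found = i
                    break
        results.append({
            "file": target,
            "start": old_start,
            "applies": found is not None,
            "offset": None if found is None else found - (old_start - 1),
        })
    return results


def applies_cleanly(patch_text: str, tree: Dict[str, str]) -> bool:
    return all(r["applies"] for r in check_hunks(patch_text, tree))


# Constructed sample patch: a null check added on git master, where the
# function sits two lines further down than in the release tarball.
UPSTREAM_FIX = "\n".join([
    "diff --git a/parser.c b/parser.c",
    "--- a/parser.c",
    "+++ b/parser.c",
    "@@ -5,6 +5,8 @@ parse_node(ctx_t *ctx)",
    " {",
    "     node_t *node = ctx->node;",
    " ",
    "+    if (node == NULL)",
    "+        return NULL;",
    "     node->type = NODE_ELEMENT;",
    "     return node;",
    " }",
]) + "\n"

# Constructed release tree: same code, no extra header lines, so the hunk
# is found two lines earlier than stated (offset -2).
RELEASE_TREE = {"parser.c": "\n".join([
    "static node_t *",
    "parse_node(ctx_t *ctx)",
    "{",
    "    node_t *node = ctx->node;",
    "",
    "    node->type = NODE_ELEMENT;",
    "    return node;",
    "}",
]) + "\n"}

# Constructed tree where an intermediate commit renamed the field, so the
# hunk's context no longer exists: this is the "does not apply cleanly" case.
DIVERGED_TREE = {"parser.c": RELEASE_TREE["parser.c"].replace("ctx->node", "ctx->current")}

if __name__ == "__main__":
    for name, tree in (("release", RELEASE_TREE), ("diverged", DIVERGED_TREE)):
        for r in check_hunks(UPSTREAM_FIX, tree):
            print(name, r["file"], "@", r["start"], "applies" if r["applies"] else "FAILS",
                  "" if r["offset"] is None else f"(offset {r['offset']:+d})")
```

The checker looks only at whether the pre-image exists, which is the same question `git apply --check` or `patch --dry-run` answers before the packaging step; when a hunk fails here, the usual fix is the one taken in this task, namely to pull in the earlier commits the hunk depends on or to build from the branch they are all on.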
Comment by mysta (mysta) - Thursday, 13 May 2021, 22:05 GMT
This can be closed now.
